Jack Wiles and Anthony Reyes (auth.), The Best Damn Cybercrime and Digital Forensics Book Period, Syngress (2007)


Contributing Authors
Kevin Cardwell (CEH, ECSA, LPT) works as a freelance consultant and
provides consulting services for companies throughout the U.S., U.K., and
Europe. He is an adjunct associate professor for the University of Maryland
University College, where he participated in the team that developed the
Information Assurance Program for Graduate Students, which is recognized
as a Center of Excellence program by the National Security Agency (NSA).
He is an instructor and technical editor for computer forensics and hacking
courses. He has presented at the Blackhat USA Conference.
During a 22-year period in the U.S. Navy, Kevin tested and evaluated
surveillance and weapon system software. Some of this work was on
projects like the Multi-Sensor Torpedo Alertment Processor (MSTRAP),
Tactical Decision Support System (TDSS), Computer Aided Dead
Reckoning Tracer (CADRT), Advanced Radar Periscope Discrimination
and Detection (ARPDD), and the Remote Mine Hunting System
(RMHS). He has worked as both a software and systems engineer on a
variety of Department of Defense projects and was selected to head the
team that built a Network Operations Center (NOC) that provided
services to the command ashore and ships at sea in the Norwegian Sea
and Atlantic Ocean. He served as the leading chief of information
security at the NOC for six years prior to retiring from the U.S. Navy.
During this time he was the leader of a five-person Red Team.
Kevin wishes to thank his mother, Sally; girlfriend, Loredana; and
daughter, Aspen, all of whom are sources of his inspiration. Kevin holds a
master’s degree from Southern Methodist University and is a member of
the IEEE and ACM. Kevin currently resides in Cornwall, England.
Timothy Clinton has held multiple roles in the EDD/ESI vendor space.
He is currently employed as forensics operations manager for the National
Technology Center division of Document Technologies, Inc. (DTI), a
major ESI service provider. Since joining the DTI team, Mr. Clinton has served in
multiple roles, including EDD production manager, technical architect,


v

FM-SA228.indd v

10/29/2007 7:53:14 PM


and forensic investigator. He has conducted and managed investigations
for numerous civil cases regarding matters for Fortune 50 of law.
Mr. Clinton’s most notable achievement while at DTI is being responsible
for the design and implementation of a showcase data forensics laboratory
in Atlanta, Georgia.
Tyler Cohen (CISSP) is employed by Computer Science Corporation
contracted as a researcher and developer for the Department of Defense
Cyber Crime Center. Her specialty is digital forensics and intrusions.
She is considered an expert in hacking and conducting forensic exams with
the iPod and other alternative media devices. She presents her expertise
at various conferences all over the country some of which include the
Department of Defense Cyber Crime Conference, International High
Technology Crime Investigation Association and The California District
Attorney’s Cyber Crime Conference.
Edward Collins (CISSP, CEH, Security+, MCSE:Security, MCT) is a
senior security analyst for CIAN, Inc., where he is responsible for
conducting penetration tests, threat analysis, and security audits. CIAN
(www.ciancenter.com) provides commercial businesses and government
agencies with all aspects of information security management, including
access control, penetration testing, audit procedures, incident response
handling, intrusion detection, and risk management. Edward is also a
training consultant, specializing in MCSE and Security+ certifications.
Edward’s background includes positions as information technology

manager at Aurora Flight Sciences and senior information technology
consultant at Titan Corporation.
James “Jim” Cornell (CFCE, CISSP, CEECS) is an employee of
Computer Sciences Corp. (CSC) and an instructor/course developer at
the Defense Cyber Investigations Training Academy (DCITA), which is
part of the Defense Cyber Crime Center (DC3) in Maryland. At the
academy he teaches network intrusions and investigations, online undercover techniques, and advanced log analysis. He has over 26 years of law
enforcement and over 35 years of electronics and computer experience.
He is a member/coach of the International Association of Computer
Investigative Specialists (IACIS) and a member of the International
Information Systems Forensics Association (IISFA) and the International
Information Systems Security Certification Consortium (ISC2). He is
currently completing the Certified Technical Trainer (CTT+) process
and is a repeat speaker at the annual Department of Defense Cyber
Crime Conference.
He would like to thank his mother for more than he can say, his wife
for her patience and support, and Gilberto for being the best friend ever.
Michael Cross (MCSE, MCP+I, CNA, Network+) is an internet
specialist/programmer with the Niagara Regional Police Service. In addition to designing and maintaining the Niagara Regional Police’s Web site
(www.nrps.com) and intranet, he has also provided support and worked
in the areas of programming, hardware, database administration, graphic
design, and network administration. In 2007, he was awarded a Police
Commendation for work he did in developing a system to track high-risk
offenders and sexual offenders in the Niagara Region. As part of an
information technology team that provides support to a user base of over
1,000 civilian and uniformed users, his theory is that when the users
carry guns, you tend to be more motivated in solving their problems.
Michael was the first computer forensic analyst in the Niagara
Regional Police Service’s history, and for five years he performed
computer forensic examinations on computers involved in criminal
investigations. The computers he examined for evidence were involved
in a wide range of crimes, inclusive to homicides, fraud, and possession
of child pornography. In addition to this, he successfully tracked
numerous individuals electronically, as in cases involving threatening
e-mail. He has consulted and assisted in numerous cases dealing with
computer-related/Internet crimes and served as an expert witness on
computers for criminal trials.
Michael has previously taught as an instructor for IT training courses
on the Internet, Web development, programming, networking, and hardware repair. He is also seasoned in providing and assisting in presentations on Internet safety and other topics related to computers and the
Internet. Despite this experience as a speaker, he still finds his wife won’t
listen to him.
Michael also owns KnightWare, which provides computer-related
services like Web page design, and Bookworms, which provides online
sales of merchandise. He has been a freelance writer for over a decade
and has been published over three dozen times in numerous books and
anthologies. When he isn’t writing or otherwise attached to a computer,
he spends as much time as possible with the joys of his life: his lovely
wife, Jennifer; darling daughter Sara; adorable daughter Emily; and
charming son Jason.
Larry Depew, PMP, is the director of the New Jersey Regional
Computer Forensic Laboratory (NJRCFL), a partnership between the
FBI and State of New Jersey that provides forensic examinations and
training to law enforcement in the field of digital forensics. He retired
from the Federal Bureau of Investigation (FBI) as a supervisory special
agent after nearly 32 years and is currently employed by the State of
New Jersey. Larry leads a laboratory of 24 forensic examiners from nine
law enforcement agencies servicing more than 550 federal, state, and local
law enforcement agencies in New Jersey and the surrounding region.
Larry oversaw the overall construction of the NJRCFL’s physical laboratory space and implemented a quality system for laboratory operations
to meet client quality requirements for digital forensic examinations,
law enforcement training, and expert testimony.
Prior to becoming director of the NJRCFL, Larry worked on several
information technology projects at the FBI in Washington, D.C., including developing user requirements for case management systems, and as
project manager for the deployment of the Investigative Data Warehouse
(IDWv1.0). Larry is an experienced digital forensic examiner who has
conducted more than 100 examinations and reviewed the output of
more than 1,000 examinations performed by NJRCFL examiners. His
digital forensic certifications include the FBI CART Forensic Examiner
(Windows, Linux, and personal data assistants) and steganography
investigator.
Larry chaired the FBI’s Computer Analysis Response Team’s (CART)
first Standard Operating Procedure and Quality System committee,
which formed the basis for today’s RCFL National Program and CART
Standard Operating Procedures.
Larry is an adjunct professor in digital forensics at The College of
New Jersey (TCNJ). He has also taught digital forensics at the New
Jersey Institute of Technology (NJIT). Larry is a project management
professional certified through the Project Management Institute. He has
lectured at many government and private sector conferences on topics
relating to data management, workflow, computer security, and digital
forensics. He has appeared on the Fox network and the Philadelphia
ABC affiliate as an expert regarding digital evidence and Internet safety.
He has been interviewed by several national publications and regional
newspapers regarding digital evidence analysis, computer security, and
Internet safety.
Art Ehuan (CISSP, CFCE, EnCE) is a digital forensic expert with
senior management experience in developing and implementing digital
forensic facilities for corporations and the United States government.
Art previously managed the Information Security Department for
USAA, a Fortune 200 financial services company, where he developed
and implemented policies, process, and technology for a state-of-the-art
digital forensic facility for handling computer forensics and electronic
discovery. Art was previously the deputy chief information security
officer at Northrop Grumman, where he developed and implemented
three digital forensic facilities for the company. He also developed and
implemented Cisco Systems’ first digital investigative facility.
Art also has extensive government experience in digital forensics.
He was formerly an FBI special agent certified as a Computer Analysis
Response Team member and Air Force Office of Special Investigations
special agent certified as a computer crime investigator.
Art was formerly an adjunct professor at Georgetown University,
Duke University, and George Washington University, where he taught
undergraduate and graduate courses on computer forensics, incident
response, and computer crime.
Michael Gregg is the president of Superior Solutions, Inc. and has
more than 20 years’ experience in the IT field. He holds two associate’s
degrees, a bachelor’s degree, and a master’s degree and is certified as
CISSP, MCSE, MCT, CTT+, A+, N+, Security+, CNA, CCNA,
CIW Security Analyst, CCE, CEH, CHFI, CEI, DCNP, ES Dragon IDS,
ES Advanced Dragon IDS, and TICSA.
Michael’s primary duties are to serve as project lead for security
assessments helping businesses and state agencies secure their IT
resources and assets. Michael has authored four books, including: Inside
Network Security Assessment, CISSP Prep Questions, CISSP Exam Cram2,
and Certified Ethical Hacker Exam Prep2. He also was the lead author for
Hack the Stack: Using Snort and Ethereal to Master the Eight Layers of an
Insecure Network (Syngress, ISBN: 9781597491099). He has developed
four high-level security classes, including Global Knowledge’s Advanced
Security Boot Camp, Intense School’s Professional Hacking Lab Guide,
ASPE’s Network Security Essentials, and Assessing Network
Vulnerabilities. He has created over 50 articles featured in magazines and
Web sites, including Certification Magazine, GoCertify, The El Paso Times,
and SearchSecurity.
Michael is also a faculty member of Villanova University and creator
of Villanova’s college-level security classes, including Essentials of IS
Security, Mastering IS Security, and Advanced Security Management.
He also serves as a site expert for four TechTarget sites, including
SearchNetworking, SearchSecurity, SearchMobileNetworking, and
SearchSmallBiz. He is a member of the TechTarget Editorial Board.
Captain Benjamin R. Jean has spent his entire law enforcement career
in the State of New Hampshire, starting in 1992 for the Deerfield Police
Department. He is currently employed as a Law Enforcement Training
Specialist for the New Hampshire Police Standards & Training Council
and is Chief of the Training Bureau. Captain Jean teaches classes in
various law enforcement topics, including computer crime investigation,
and is an active member of the New Hampshire Attorney General’s
Cyber Crime Initiative. He was recently awarded the 2006 Cyber Crime
Innovation Award and holds an Associate’s Degree in Criminal Justice
from New Hampshire Community Technical College and a Bachelor’s
Degree in Information Technology from Granite State College.
Kevin O’Shea is currently employed as a Homeland Security and
Intelligence Specialist in the Justiceworks program at the University of
New Hampshire. In this capacity, Mr. O’Shea supports the implementation of tools, technology, and training to assist law enforcement in the
investigation of crimes with a cyber component. In one of Kevin’s recent
projects, he was a technical consultant and developer of a training
program for a remote computer-forensics-viewing technology, which is
now in use by the state of New Hampshire. He also has developed a
computer-crime-investigative curriculum for the New Hampshire Police
Standards and Training.
Kevin Reis (CISSP, CFE, GCFA, EnCE) has extensive public and
private sector experience in the fields of computer forensics, network
investigations, financial fraud investigations, and electronic discovery.
Kevin began his career conducting counterintelligence investigations as a
special agent with the Federal Bureau of Investigation (FBI), but he soon
joined the FBI Computer Analysis Response Team (CART). As a CART
field examiner, Kevin provided computer forensics support and technical
consultation to investigations ranging from financial institution fraud and
child pornography to espionage. Kevin then joined the National
Aeronautics and Space Administration (NASA) Office of Inspector
General (OIG) as a computer crime investigator (CCI), where he investigated computer and network intrusions at the Goddard Space Flight
Center. Following his tenure at NASA, Kevin entered the private sector,
working as a computer intrusion analyst at Aegis Research Corporation
and then as a senior associate with the Forensic Technology Services
practice of the Big Four accounting firm KPMG. While at KPMG,
Kevin provided computer forensics, data analysis, e-discovery, and
investigative services on financial fraud and civil litigation engagements.
Following the events of September 11, 2001, Kevin reentered public
service with the Department of Justice OIG as a special agent to build
the OIG’s computer forensics program. Kevin is currently a special agent
with the Federal Deposit Insurance Corporation OIG Electronic Crimes
Unit and a reserve Air Force Office of Special Investigations CCI.
Anthony Reyes is a retired New York City Police Department
Computer Crimes Detective. While employed for the NYPD,
he investigated computer intrusions, fraud, identity theft,
child exploitation, intellectual property theft, and software piracy.
He was an alternate member of New York Governor
George E. Pataki’s Cyber-Security Task Force, and he currently serves
as President for the High Technology Crime Investigation Association.
He is the Education & Training Working Group Chair for the
National Institute of Justice’s Electronic Crime Partner Initiative. Anthony
is also an Associate Editor for the Journal of Digital Forensic Practice and
an editor for The International Journal of Forensic Computer Science.
He is an Adjunct Professor and is the Chief Executive Officer for the
Arc Enterprises of New York, Inc. on Wall Street. Anthony has over 20 years
of experience in the IT field. He teaches for several government agencies
and large corporations in the area of computer crime investigations, electronic discovery, and computer forensics. He also lectures around the world.
Karen Schuler is vice president of the Consulting Practice Group at ONSITE3. She
brings over 15 years of management, technology, forensics, and electronic
discovery experience to ONSITE3’s team of experts and specialists.
Karen’s experience ranges from the migration of data, enterprisewide
technology planning and implementation, forensic investigations to large
and complex litigation matters involving electronic discovery. As a former owner of a boutique computer forensics and security firm as well as
a contracted computer forensic examiner for the U.S. Securities and
Exchange Commission, she is an expert at understanding the intricate
details involved in providing admissible and defensible evidence.
Karen has a wide range of experience in dealing with change management, technology assessments, and investigations as they relate to large
corporate entities in the financial services industry, pharmaceutical, retail,
manufacturing, health care, and technology fields. In addition, she has
routinely been engaged on large, unwieldy electronic discovery projects
where an expert is required to oversee the methodologies as well as
provide recommendations for better practices.
Sondra Schneider is CEO and Founder of Security University, a Vienna,
VA-based Qualified Computer Security and Information Assurance
Training Company. For the past 18 years Sondra has been traveling around
the world training network professionals to be network and security
professionals. In 2004 she was awarded Entrepreneur of the Year at the First
Annual Woman of Innovation Awards from the Connecticut Technology
Council. She sits on the advisory board for three computer security
technology companies and is a frequent speaker at computer security and
wireless industry events. She is a founding member of the NYC HTCIA
and IETF, and she works closely with ISC2, ISSA, and ISACA chapters and
the vendor community to provide qualified computer security training and
feedback. Sondra holds the CISSP, CEH, ECSA, LPT, and CHFI credentials.
Amber Schroader has been involved in the field of computer forensics
for the past 17 years. Amber has developed and taught numerous training
courses for the computer forensic arena, specializing in the field of
wireless forensics as well as mobile technologies. Amber is the CEO of
Paraben Corporation and continues to act as the driving force behind
some of the most innovative forensic technologies. As a pioneer in the
field, Amber has been key in developing new technology to help investigators with the extraction of digital evidence from hard drives, e-mail,
and handheld and mobile devices. Amber has extensive experience in
dealing with a wide array of forensic investigators ranging from federal,
state, local, and foreign government as well as corporate investigators.
With an aggressive development schedule, Amber continues to bring new
and exciting technology to the computer forensic community worldwide
and is dedicated to supporting the investigator through new technologies
and training services that are being provided through Paraben Corporation.
Amber is involved in many different computer investigation organizations,
including The Institute of Computer Forensic Professionals (ICFP) as the
chairman of the board, HTCIA, CFTT, and FLETC.
Amber currently resides in Utah and Virginia with her two children,
Azure and McCoy.
Jesse Varsalone (A+, Linux+, Net+, iNet+, Security+, Server+, CTT+,
CIW Professional, CWNA, CWSP, MCT, MCSA, MCSE 2000/2003,
MCSA/MCSE Security, MCSD, MCDBA, MCSD, CNA, CCNA,
MCDST, Oracle 8i/9i DBA, Certified Ethical Hacker) is a computer
forensic senior professional at CSC. For four years, he served as the
director of the MCSE and Network Security Program at the Computer
Career Institute at Johns Hopkins University. For the 2006 academic
year, he served as an assistant professor of computer information systems
at Villa Julie College in Baltimore, Maryland. He taught courses in
networking, Active Directory, Exchange, Cisco, and forensics.
Jesse holds a bachelor’s degree from George Mason University and a
master’s degree from the University of South Florida. He runs several
Web sites, including mcsecoach.com, which is dedicated to helping
people obtain their MCSE certification. He currently lives in Columbia,
Maryland, with his wife, Kim, and son, Mason.
Jack Wiles is a security professional with over 30 years’ experience in
security-related fields, including computer security, disaster recovery, and
physical security. He is a professional speaker and has trained federal agents,
corporate attorneys, and internal auditors on a number of computer
crime-related topics. He is a pioneer in presenting on a number of subjects
that are now being labeled “Homeland Security” topics. Well over 10,000
people have attended one or more of his presentations since 1988. Jack is
also a cofounder and president of TheTrainingCo. He is in frequent
contact with members of many state and local law enforcement agencies
as well as special agents with the U.S. Secret Service, FBI, U.S. Customs,
Department of Justice, the Department of Defense, and numerous members of high-tech crime units. He was also appointed as the first president
of the North Carolina InfraGard chapter, which is now one of the largest
chapters in the country. He is also a founding member and “official” MC
of the U.S. Secret Service South Carolina Electronic Crimes Task Force.
Jack is also a Vietnam veteran who served with the 101st Airborne
Division in Vietnam in 1967-68. He recently retired from the U.S. Army
Reserves as a lieutenant colonel and was assigned directly to the Pentagon
for the final seven years of his career. In his spare time, he has been a senior
contributing editor for several local, national, and international magazines.
Craig Wright has personally conducted in excess of 1,200 IT security-related engagements for more than 120 Australian and international
organizations in the private and government sectors and now works for
BDO Kendall’s in Australia.
In addition to his consulting engagements, Craig has also authored
numerous IT security-related articles. He also has been involved with
designing the architecture for the world’s first online casino (Lasseter’s
Online) in the Northern Territory. He has designed and managed the
implementation of many of the systems that protected the Australian
Stock Exchange. He also developed and implemented the security
policies and procedural practices within Mahindra and Mahindra,
India’s largest vehicle manufacturer.
He holds (among others) the following industry certifications: CISSP
(ISSAP & ISSMP), CISA, CISM, CCE, GNSA, G7799, GWAS, GCFA,
GLEG, GSEC, GREM, GPCI, MCSE, and GSPA. He has completed
numerous degrees in a variety of fields and is currently completing both
a master’s degree in statistics (at Newcastle) and a master’s degree in law
(LLM) specializing in international commercial law (E-commerce Law).
Craig is planning to start his second doctorate, a PhD in economics and
law in the digital age, in early 2008.
Chapter 1

Computer Forensics in Today’s World

Solutions in this chapter:

Computer Forensics
History of Computer Forensics
Objectives of Computer Forensics
Computer-Facilitated Crimes
Reasons for Cyber Attacks
Computer Forensics Flaws and Risks
Modes of Attack
Stages of Forensic Investigation in Tracking Cyber Criminals
Rules of Computer Forensics
Digital Forensics
Approach the Crime Scene
Where and When to Use Computer Forensics
Legal Issues
The Computer Forensics Lab
Laboratory Strategic Planning for Business
Elements of Facilities Build-out
Essential Laboratory Tools
1

Ch01-SA228.indd 1

10/29/2007 4:07:42 PM


2

Chapter 1 • Computer Forensics in Today’s World

Introduction
As is often the case with security compromises, it’s not a matter of if your company will be
compromised, but when.
If I had known that the employee I hired was going to resign, break into my office, and damage my computers in the span of three days, then, hindsight being 20/20, I would have notified the security guards at the front door, placed them on high alert, and made sure he was not granted access to the building after he resigned. Of course, in hindsight, I should also have done a better job of vetting critical personnel. He was hired as a computer security analyst and security hacker instructor, and was (or should have been) the best example of ethical conduct.
Clearly, we see only what we want to see when hiring staff, and you won’t know whether an employee is ethical until a compromise occurs. Even if my blinders had been off, I would never have seen this compromise coming. It boggles the mind to think that anyone would ruin or jeopardize his career in computer security for so little. But he did break into the building and he did damage our computers, and therefore he will be held accountable for his actions, as detailed in the forensic information that follows. Pay attention when the legal issues are reviewed: you will learn, bit by bit, how to make your life easier by knowing what you really need to know “when” your computer security compromise occurs.
Computer forensics is the preservation, identification, extraction, interpretation, and
documentation of computer evidence. In Chapter 9 of Cyber Crime Investigations, digital
forensics is referred to as “the scientific acquisition, analysis, and preservation of data
contained in electronic media whose information can be used as evidence in a court of
law.”1.
In the case involving the Hewlett-Packard board of directors, seasoned investigators
within HP and the primary subcontracting company sought clarity on an investigative
method they were implementing for an investigation. The investigators asked legal counsel to
determine whether the technique being used was legal or illegal. Legal counsel determined
that the technique fell within a gray area, and did not constitute an illegal act. As a result, the
investigators used it and were later arrested. This situation could befall any cyber crimes
investigator.
In the Hewlett-Packard case, legal counsel did not fully understand the laws relating to
such methodologies and technological issues. The lesson for investigators here is not to
assume that an action you’ve taken is legal just because corporate counsel told you it was.
This is especially true within the corporate arena. In the HP case, several investigators were
arrested, including legal counsel, for their actions.
This chapter will review computer security today, the history of computer forensics, and
its objectives. It will also discuss computer-facilitated crimes and the reasons for cyber crime,
as well as computer forensics flaws and risks, modes of attack, digital forensics, and the stages
of forensic investigation in tracking cyber criminals.
www.syngress.com





History of Forensics
Forensics has been around since the dawn of justice; even cavemen had rules set to protect home and hearth. Francis Galton (1822–1911) made the first recorded study of fingerprints; Leone Lattes (1887–1954) discovered the blood groupings (A, B, AB, and O); Calvin Goddard (1891–1955) developed the firearms and bullet comparison that resolved many pending court cases; Albert Osborn (1858–1946) developed the essential features of document examination; and Hans Gross (1847–1915) applied scientific study to criminal investigation. In 1932, the FBI set up a laboratory to provide forensic services to all field agents and other law authorities across the country. Looking back at these historic forensic events, we see a pattern: confidence in the forensic information recovered and analyzed grew as each discipline matured. As you will see in this book, today’s computer forensics is following the same pattern of confidence, acceptance, and analysis.

Objectives of Computer Forensics
Cyber activity has become an important part of the everyday lives of the general public. According to the EC-Council, eighty-five percent of businesses and government agencies have detected a security breach. The examination of digital evidence (media) gives forensic investigators something concrete to focus on after an incident has occurred. The ultimate goal of a computer forensic investigator is to determine the nature and sequence of events concerning a crime and to locate the perpetrator by following a structured investigative procedure.

What is forensic computing? A methodical series of techniques and procedures for gathering evidence, from computing equipment and various storage devices and digital media, that can be presented in a court of law in a coherent and meaningful format.
—Dr. H.B. Wolfe

Investigators must apply the following two tests to evidence, in computer forensics as in physical forensics, for it to survive in a court of law:

Authenticity: Where does the evidence come from?
Reliability: Is the evidence reliable and free of flaws?

With that said, whether you will conduct a computer crime investigation at all should be predetermined through policy, based on what is “acceptable risk” to your company.
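The two tests are abstract; in practice an examiner satisfies them with a documented acquisition record and cryptographic hashes, so that the source of an image (authenticity) and its unchanged state (reliability) can be demonstrated at any later point. The following Python script is an added example, not code from the book or its authors; the examiner name, device description, file names, and image contents are all constructed for illustration. It hashes an acquired image, appends a chain-of-custody entry to a JSON-lines log, and re-verifies the image, flagging any change since acquisition:

```python
"""Evidence integrity record for a forensic image.

Added example, not from the book: hashes an acquired image, appends a
chain-of-custody entry to a JSON-lines log, and re-verifies the image so any
change since acquisition is detected. Names, paths and data are constructed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash large images in 1 MiB pieces instead of reading them whole


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for the file at path, all computed in one read pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def _append(log_path, entry):
    """Append one custody event; each line of the log is a complete JSON object."""
    entry = dict(entry, time=datetime.now(timezone.utc).isoformat())
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def record_acquisition(image_path, examiner, source, log_path):
    """Log where the image came from (authenticity) and its hashes at acquisition (reliability)."""
    return _append(log_path, {
        "event": "acquired",
        "examiner": examiner,
        "source": source,
        "file": os.path.basename(image_path),
        "size": os.path.getsize(image_path),
        "hashes": hash_file(image_path),
    })


def verify_against_log(image_path, log_path):
    """Recompute the image's hashes and compare them with its acquisition entry.

    Returns (ok, problems): ok is True only when every recorded hash matches;
    problems lists the mismatching algorithms, or a note if no record exists.
    """
    with open(log_path, encoding="utf-8") as log:
        entries = [json.loads(line) for line in log if line.strip()]
    name = os.path.basename(image_path)
    acquired = [e for e in entries if e["event"] == "acquired" and e["file"] == name]
    if not acquired:
        return False, ["no acquisition record for %s" % name]
    expected = acquired[0]["hashes"]
    actual = hash_file(image_path, tuple(expected))
    problems = [alg for alg in expected if expected[alg] != actual[alg]]
    _append(log_path, {
        "event": "verified",
        "file": name,
        "result": "ok" if not problems else "MISMATCH: " + ",".join(problems),
    })
    return not problems, problems


def demo():
    """Constructed scenario: acquire a small fake image, verify it, alter one byte, verify again.

    Returns (ok_before_change, ok_after_change, mismatched_algorithms).
    """
    work = tempfile.mkdtemp(prefix="custody-")
    image = os.path.join(work, "suspect-laptop.dd")
    log = os.path.join(work, "custody.jsonl")
    with open(image, "wb") as fh:  # constructed contents, not a real disk image
        fh.write(b"constructed sample image contents\x00" * 1024)
    record_acquisition(image, "J. Examiner (constructed)",
                       "laptop HDD, S/N CONSTRUCTED-001, evidence bag 2", log)
    ok_before, _ = verify_against_log(image, log)
    with open(image, "r+b") as fh:  # simulate a single-byte change after acquisition
        fh.seek(100)
        fh.write(b"X")
    ok_after, problems = verify_against_log(image, log)
    return ok_before, ok_after, problems


if __name__ == "__main__":
    print(demo())
```

Run it as a script to see the acquisition verify cleanly and the deliberately altered copy fail. Two algorithms are recorded because many older tools and court exhibits still report MD5; SHA-256 is the one to rely on for collision resistance, and computing both in the same pass over the image costs nothing extra. The log entries for a real case should also carry who handled the media and when, which is what makes the record a chain of custody rather than just a hash list.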
Cyber crime includes the following:

Theft of intellectual property: Any act that gains unauthorized access to patents, trade secrets, customer data, sales trends, or other confidential information.
Damage to company service networks: This can occur when someone plants a Trojan horse, conducts a denial-of-service attack, installs an unauthorized modem, or installs a back door that lets others gain access to the network or system.
Financial fraud: Anything that uses fraudulent solicitation of prospective victims to conduct fraudulent transactions.
Hacker system penetrations: These occur through the use of sniffers, rootkits, and other tools that take advantage of vulnerabilities in systems or software.
Distribution and execution of viruses and worms: These are some of the most common forms of cyber crime.

Cyber crime comprises the “3 Ts”: tools to commit the crime, targets of the crime
(victim), and material that is tangential to the crime.
Cyber crime has many motivations. Often it is the thrill of the chase, or a script kiddie’s desire to learn. Sometimes it is committed by psychologically motivated criminals who need to leave a mark, or it results from misguided trust in other individuals who are, in fact, leading you astray. Other times such crimes are committed by a person or group out for revenge; perhaps a disgruntled employee or former friend who wants to embarrass the target. Most often, though, a cyber criminal is being paid to obtain information; the hackers involved in corporate espionage are the hardest to uncover and frequently are never detected.

Damage & Defense…
Curbing Computer Crime
Computer crime happens more often than car accidents, and car accidents occur four
times a minute in the United States. A defensive posture, security awareness training,
and continuous good communication help keep insider threats to a manageable
minimum.

Computer-Facilitated Crimes
Our dependency on the computer has given rise to new criminal opportunities. Computers are increasingly being used as a tool for committing crimes, and as such they pose new challenges for investigators, for the following reasons:

- The proliferation of PCs and Internet access has made the exchange of information quick and inexpensive.
- The use of easily available hacking tools and the proliferation of underground hacking groups have made it easier to commit cyber crimes.
- Anonymity allows anyone to hide his identity while committing crimes.
- E-mail spoofing, creating fake profiles, and committing identity theft are common occurrences, and there is nothing to stop them, which makes investigation difficult.
- With cyber crimes, there is no collateral or forensic evidence, such as eyewitnesses, fingerprints, or DNA, making these crimes much harder to prosecute.

Damage & Defense…
Bridging the Gaps
Real-Life Solutions: One of my first cases involved a woman whose ex-boyfriend was
impersonating her online. He created an online user profile using her personal information and her picture on a popular chat site. During his chats, while pretending to
be her, he solicited sexual acts from several men and gave her contact information to
them. This information included her home address. During several of these online
chats, he described a rape fantasy she wanted to fulfill with the men he was chatting
with. When discussing the case with the prosecutor’s office, we brainstormed about
the charges we would use. There were no identity theft laws in place at that time. So,
we decided to use traditional charges, including reckless endangerment, aggravated
harassment, and impersonation. Here is an outline of our justification for using these
statutes:


- We selected reckless endangerment because the men were visiting the victim’s home expecting to engage in sexual acts with her. These acts included the rape fantasy that the suspect described during the online chats. The reckless endangerment aspect of this crime was the possibility of some male raping her because of the described rape fantasy the suspect spoke about. Someone could have really raped her.
- We selected aggravated harassment because of the number of phone calls she was receiving day and night that were sexually explicit. In New York, it covered the annoying phone calls the victim was getting.
- We chose the charge of impersonation because the ex-boyfriend was pretending to be her. This impersonation included more than him just pretending to be her online. It included giving out all of her personal information, along with her picture. Today, this would most probably be covered under an identity theft law.


Reasons for Cyber Attacks
Today, cyber attacks are committed by individuals who are more organized. Cyber crime has different connotations depending on the situation. Most of us equate cyber crime with what we see on TV and in the news: porn, hackers gaining access to sensitive government information, identity theft, stolen passwords, and so on. In reality, computer crimes more often than not include theft of intellectual property, damage of company service networks, embezzlement, copyright piracy (software, movie, sound recording), child pornography, planting of viruses and worms, password trafficking, e-mail bombing, and spam.
Cyber criminals are taught to be more technically advanced than the agencies that plan to thwart them. And today’s criminals are more persistent than ever. According to the EC-Council, computer crime is any illegal act involving a computer, its system, or its applications. A computer crime is intentional, not accidental (we discuss this in more detail in the “Legal Issues” section, later in this chapter).


Computer Forensic Flaws and Risks
Computer forensics is in its developmental stage. It differs from other forensic sciences in that digital evidence is examined. There is little theoretical knowledge on which to base assumptions for analysis; standard empirical hypothesis testing, when carried out, lacks proper training or standardization of tools; and lastly, it is still more “art” than “science.”

Modes of Attack
There are two categories of cyber crime, differentiated in terms of how the attack takes
place:


- Insider attacks: These involve a breach of trust from employees within an organization.
- External attacks: These involve hackers hired by either an insider or an external entity whose aim is to destroy a competitor’s reputation.

Stages of Forensic Investigation in
Tracking Computer Crime
A computer forensic investigator follows certain stages and procedures when working on a
case. First he identifies the crime, along with the computer and other tools used to commit
the crime. Then he gathers evidence and builds a suitable chain of custody. The investigator
must follow these procedures as thoroughly as possible. Once he recovers data, he must
image, duplicate, and replicate it, and then analyze the duplicated evidence. After the

evidence has been analyzed, the investigator must act as an expert witness and present
the evidence in court. The investigator becomes the tool which law enforcement uses to
track and prosecute cyber criminals.
For a better understanding of the steps a forensic investigator typically follows, consider
the following, which would occur after an incident in which a server is compromised:
1. Company personnel call the corporate lawyer for legal advice.
2. The forensic investigator prepares a First Response of Procedures (FRP).
3. The forensic investigator seizes the evidence at the crime scene and transports it to
the forensic lab.
4. The forensic investigator prepares bit-stream images of the files and creates an MD5 hash of the files.
5. The forensic investigator examines the evidence for proof of a crime, and prepares
an investigative report before concluding the investigation.
6. The forensic investigator hands the sensitive report information to the client, who
reviews it to see whether they want to press charges.
7. The FI destroys any sensitive client data.
It is very important that a forensic investigator follows all of these steps and that the
process contains no misinformation that could ruin his reputation or the reputation of an
organization.

Rules of Computer Forensics

A good forensic investigator should always follow these rules:

- Examine original evidence as little as possible. Instead, examine the duplicate evidence.
- Follow the rules of evidence and do not tamper with the evidence.
- Always prepare a chain of custody, and handle evidence with care.
- Never exceed the knowledge base of the forensic investigator (FI).
- Make sure to document any changes in evidence.

If you stay within these parameters, your case should be valuable and defensible.

Digital Forensics
Digital forensics includes preserving, collecting, confirming, identifying, analyzing, recording,
and presenting crime scene information.


Assessing the Case: Detecting/
Identifying the Event/Crime
In any type of investigation, the computer forensic examiner must follow an investigation process. That process begins with the step of assessing the case, asking people questions, and documenting the results in an effort to identify the crime and the location of the evidence. Computer investigations are conducted on two types of computers: the computer used to commit a crime, and the computer that is the target of the crime.

Preservation of Evidence: Chain of Custody
Preserving the chain of custody is the next step. The identified evidence must be preserved to maintain its integrity. A chain of custody must be prepared so that it is known who handled the evidence, and every step taken by the forensic investigator must be documented for inclusion in the final report. Sometimes a computer and its related evidence can reveal to the investigator the chain of events leading to a crime, as well as provide the evidence that can lead to conviction.

NOTE
A chain of custody is the accurate documentation of the movement and possession of a piece of evidence, from the time it is taken into custody until it is delivered to the court. This documentation helps prevent allegations of evidence tampering. It also proves that the evidence was stored in a legally accepted location, and it documents who is in custody and control of the evidence during the forensic testing phase.
A bit-stream image is an exact duplicate of a computer’s hard drive in which the drive is copied from one drive to another, bit by bit. This image is then authenticated to the original by matching a digital signature, which is produced by a mathematical algorithm (usually the MD5 standard) to ensure that no changes have occurred. This method has become the de facto standard and is widely accepted by the industry and the legal system.
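
The chain-of-custody documentation described in the note above can be kept tamper-evident. What follows is an added example written for this edition, not code from the book or from any forensic product: each entry records the custodian, action, location and time together with a SHA-256 digest of the evidence at that moment, and each entry also carries the digest of the previous entry, so a removed, reordered or edited entry, or evidence whose content changed between handoffs, is reported by verify(). The case number, names, locations and evidence bytes are all constructed for the illustration.

```python
"""Tamper-evident chain-of-custody log for one seized evidence item.

Added example for this section; not code from the book or any vendor tool.
Every name, case number, location and the evidence content is constructed.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    seq: int                # 1, 2, 3, ... with no gaps
    timestamp: str          # ISO-8601, UTC
    custodian: str          # who holds the item after this action
    action: str             # seized, transported, imaged, released, ...
    location: str
    evidence_hash: str      # SHA-256 of the evidence when the entry was made
    prev_entry_hash: str    # entry_hash of the previous entry ("" for the first)
    entry_hash: str = ""    # SHA-256 over all the fields above

    def compute_hash(self) -> str:
        fields = asdict(self)
        fields.pop("entry_hash")
        return sha256_hex(json.dumps(fields, sort_keys=True).encode())


class ChainOfCustody:
    def __init__(self, case_id: str, item_id: str):
        self.case_id = case_id
        self.item_id = item_id
        self.entries = []

    def record(self, custodian, action, location, evidence: bytes, when=None):
        """Append an entry linked to the previous one; returns the entry."""
        stamp = (when or datetime.now(timezone.utc)).isoformat()
        prev = self.entries[-1].entry_hash if self.entries else ""
        entry = CustodyEntry(len(self.entries) + 1, stamp, custodian, action,
                             location, sha256_hex(evidence), prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self) -> list:
        """Return a list of problems; an empty list means the chain is intact."""
        problems = []
        prev_hash = ""
        last_evidence_hash = None
        for position, entry in enumerate(self.entries, start=1):
            if entry.seq != position:
                problems.append(f"entry {position}: sequence gap (seq {entry.seq})")
            if entry.prev_entry_hash != prev_hash:
                problems.append(f"entry {position}: broken link to previous entry")
            if entry.entry_hash != entry.compute_hash():
                problems.append(f"entry {position}: contents altered after recording")
            if last_evidence_hash is not None and entry.evidence_hash != last_evidence_hash:
                problems.append(f"entry {position}: evidence hash changed since previous handoff")
            prev_hash = entry.entry_hash
            last_evidence_hash = entry.evidence_hash
        return problems

    def to_json(self) -> str:
        """Serialize the whole log for inclusion in the final report."""
        return json.dumps({"case_id": self.case_id, "item_id": self.item_id,
                           "entries": [asdict(e) for e in self.entries]}, indent=2)


if __name__ == "__main__":
    media = b"constructed bytes standing in for a seized drive"
    log = ChainOfCustody("CASE-0001", "ITEM-01")  # constructed identifiers
    log.record("Det. A. Example", "seized", "Suite 400, workstation 12", media)
    log.record("Det. A. Example", "transported", "Forensic lab intake", media)
    log.record("Examiner B. Example", "imaged", "Forensic lab bench 2", media)
    print("problems:", log.verify())
    print(log.to_json())
```

The linking only makes tampering detectable, not impossible: someone who can rewrite every later entry can rebuild the chain, which is why the printed log belongs in the report and in the evidence file as soon as each handoff is made.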

Collection: Data Recovery, Evidence Collection
Finding the evidence, discovering relevant data, preparing an Order of Volatility, eradicating external avenues of alteration, gathering the evidence, and preparing a chain of custody are the recommended processes for collecting data. After you collect data, you should create an MD5 hash of the evidence. Prior to collection, one should do a preliminary assessment to search for the evidence. After the assessment is concluded, collect and seize the equipment used in committing the crime, and document the items collected, such as floppy disks, thumb drives, CDs, DVDs, and external backup drives. A photo of the crime scene should be taken before removing the evidence.

Damage & Defense…

Hashes
Hashes use cryptographic algorithms to create a message digest of the data and represent it as a relatively small piece of data. The hash of the original data can be compared to the hash of the forensic copy. When the hashes match, it is accepted as proof that the data is an exact copy. Although it has not been challenged yet, the traditional hashes of CRC, MD5, and SHA1 have been cracked. Also, there are limitations in the sheer volume of 128-bit hashing algorithms such as MD5. There are only 2^128 possible MD5 hashes. If the large multi-terabyte file server being analyzed stores 2^128 + 1 files, there absolutely will be two different files with unique data with the same hash. Now it is understood that 2^128 is about 340 billion, and it would be an extremely large storage array of tiny files, but this fact opens the door for doubt, which could ruin a criminal prosecution. Although 2^128 is still a huge number, as storage grows, it is not unrealistic to believe that 128-bit hashes will become an increasing issue. It will probably be an issue on large storage systems long before it becomes as big an issue on single workstations. The future appears to be the use of the SHA-256 algorithm and other 256-bit hashes. For now, the National Software Reference Library hashes use the SHA-1 and MD5 algorithms.
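
The comparison the sidebar describes, and the authentication of a bit-stream image mentioned earlier in this section, come down to hashing the source and the copy and checking that the digests agree. The following is an added example, not code from the book or from any forensic tool: it hashes a source and its image in fixed-size chunks (the only way a multi-terabyte image can be hashed), records MD5 and SHA-256 in a single pass so the report carries both the legacy and the 256-bit digest the sidebar points toward, and shows that a single flipped bit in the copy fails verification. The in-memory streams and the sample drive contents are constructed stand-ins for a write-blocked device and an image file.

```python
"""Verifying a bit-stream image against its source with MD5 and SHA-256.

Added example for this section; not code from the book or any vendor tool.
The 'source drive' and its image are constructed in memory.
"""
import hashlib
import io

CHUNK = 1 << 20   # 1 MiB read size; an arbitrary choice for the illustration


def hash_stream(stream, algorithms=("md5", "sha256")) -> dict:
    """Compute several digests in one pass over a readable binary stream."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    stream.seek(0)
    while True:
        chunk = stream.read(CHUNK)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(source, image, algorithms=("md5", "sha256")) -> dict:
    """Hash both streams and report, per algorithm, whether the digests agree.

    A mismatch on any algorithm means the image is not a bit-for-bit copy.
    Recording two independent digests leaves less room for the doubt the
    sidebar describes about any single 128-bit hash.
    """
    src = hash_stream(source, algorithms)
    img = hash_stream(image, algorithms)
    per_algorithm = {name: src[name] == img[name] for name in algorithms}
    return {"source": src, "image": img, "match": per_algorithm,
            "verified": all(per_algorithm.values())}


def flip_one_bit(data: bytes, byte_index: int, bit: int = 0) -> bytes:
    """Alter a single bit, simulating an imperfect copy or later tampering."""
    altered = bytearray(data)
    altered[byte_index] ^= 1 << bit
    return bytes(altered)


# Constructed sample drive: a short header followed by repeating filler bytes.
SOURCE_BYTES = b"CONSTRUCTED-SAMPLE-DRIVE" + bytes(range(256)) * 64


def demo():
    """Verify a perfect copy and a copy with one flipped bit; return both results."""
    source = io.BytesIO(SOURCE_BYTES)
    good_image = io.BytesIO(SOURCE_BYTES)                     # exact bit-stream copy
    bad_image = io.BytesIO(flip_one_bit(SOURCE_BYTES, 5000))  # one bit differs
    return verify_image(source, good_image), verify_image(source, bad_image)


if __name__ == "__main__":
    good, bad = demo()
    print("good image verified:", good["verified"], good["image"]["sha256"])
    print("bad image verified: ", bad["verified"], bad["match"])
```

For the sidebar's arithmetic, Python's arbitrary-precision integers give the exact count of distinct 128-bit digests: 2**128 == 340282366920938463463374607431768211456, roughly 3.4 × 10^38.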

After collecting all the information, the investigator can then list the steps that can be taken during the investigation and then begin. Caution: it is not necessary to seize the entire system. Identify the relevant data and copy that; otherwise the result can be over-collection.

Notes from the Underground…
Suggested Tool Kit Contents
Your tool kit should contain the following components:

- Hardware: Target hard drives, write blocker, and cables (network, IDE, and SCSI)
- Software: Boot disks and drivers for both your forensic system and any system you may encounter, especially for network cards
- Tools: Allen keys; large and small screwdrivers (standard, Phillips, and Torx)
- Other content: Labels, anti-static bags, pens and markers, blank media (CDs, DVDs), and a camera

TIP
Sterilize all the media to be used in the examination process, enter the crime scene, take a snapshot of the scene, and then carefully scan the data sources. Retain and document the state and integrity of items at the crime scene, then transport the evidence to the forensic facility.

Examination: Tracing, Filtering,
Extracting Hidden Data
The examination process follows the collection process. The computer forensic investigator must trace, filter, and extract hidden data during the process. Some evidence cannot persist for long. Such evidence is called volatile evidence because it needs a consistent power supply for storage. There is also evidence that contains information that keeps changing. Investigators must review registers and cache, routing tables, ARP cache, process tables, and kernel statistics and modules.
Harlan Carvey looks at the Order of Volatility from a “live system” view: volatile data must be preserved in order of volatility, with the most volatile data preserved first. This applies to live systems for the most part, but the way in which we approach live systems will become more important in the near future. An example of an order of recovery of system data according to volatility looks like this:



- Virtual memory: Swap space or paging files
- Physical disks: The physical hard disks of a system
- Backups: Offline backup media such as magnetic tape or other media. It is entirely possible that the data you are looking for is not on the system today, but it was there yesterday and is on last night’s backup.

Analysis
Analysis of the data is greatly different from retrieving the evidence and depends greatly on how exact the copy is. There are various techniques for capturing an exact forensic copy of the evidence disk so you can analyze the data. Analysis should be done on the duplicate copy so that the original evidence can be protected from alteration, because the first rule of forensics is to preserve the original evidence. Once a copy is created, use the copy for further processes. Analysis can be carried out using various forensic analysis tools such as EnCase, AccessData, etc.

Damage & Defense…
Digital Evidence
When digital evidence is extracted from digital resources, an investigator must:

- Protect the subject computer system during the forensic examination from any possible alteration, damage, data corruption, or virus introduction.
- Discover all files on the subject system. This includes existing normal files, deleted yet remaining files, hidden files, password-protected files, and encrypted files.
- Recover all (or as much as possible) of the discovered deleted files.
- Reveal (to the extent possible) the contents of hidden files as well as temporary or swap files used by both the application programs and the operating system.
- Access (if possible and if legally appropriate) the contents of protected or encrypted files.
- Analyze all possibly relevant data found in special areas of a disk. This includes ‘unallocated’ space on a disk, and ‘slack’ space in a file and disk cluster.
- Print out an overall analysis of the subject computer system, as well as a listing of all possibly relevant files and discovered file data.
- Provide an opinion of the system layout, the file structures discovered, any discovered data and authorship information, any attempts to hide, delete, protect, or encrypt information, and anything else that has been discovered and appears to be relevant to the overall computer system examination.
- Provide expert consultation and/or testimony, as required.
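
The sidebar's point about unallocated and slack space is easiest to see on a small image. The following is an added example, not code from the book or from any forensic tool, and it does not model any real file system: a constructed image with a constructed cluster size and allocation table is written with an old file, the file is "deleted" (only its allocation record is dropped), and a smaller new file reuses the first cluster. The tail of that cluster past the new file's end is file slack, and the old file's second cluster is now unallocated; find_residue() reports where a known fragment of the old data still survives.

```python
"""Recovering residue from file slack and unallocated clusters.

Added example for this section; not from the book and not a model of any
real file system. The image, cluster size and allocation table are constructed.
"""
CLUSTER_SIZE = 512   # constructed; real file systems use 4 KiB clusters and up


def build_image():
    """Write an 'old' file, delete it (drop its allocation), then overwrite part
    of its first cluster with a smaller new file. Returns (image, allocation)."""
    image = bytearray(CLUSTER_SIZE * 8)              # 8 clusters, all zero
    old = b"OLD confidential memo: merger price is $42/share " * 20   # 980 bytes
    start = 2 * CLUSTER_SIZE
    image[start:start + len(old)] = old              # occupies clusters 2 and 3
    # Deleting removes only the allocation record; the data stays on disk.
    new = b"new notes.txt content"                   # 21 bytes, reuses cluster 2
    image[start:start + len(new)] = new
    allocation = {"notes.txt": {"start_cluster": 2, "size": len(new)}}
    return bytes(image), allocation


def clusters_needed(size: int) -> int:
    return -(-size // CLUSTER_SIZE)                  # ceiling division


def file_slack(image: bytes, start_cluster: int, size: int) -> bytes:
    """Bytes between end-of-file and the end of the file's last cluster."""
    end_of_file = start_cluster * CLUSTER_SIZE + size
    end_of_alloc = (start_cluster + clusters_needed(size)) * CLUSTER_SIZE
    return image[end_of_file:end_of_alloc]


def unallocated_clusters(image: bytes, allocation: dict) -> list:
    """Clusters no live file claims; deleted data survives here until reused."""
    used = set()
    for rec in allocation.values():
        used.update(range(rec["start_cluster"],
                          rec["start_cluster"] + clusters_needed(rec["size"])))
    return [c for c in range(len(image) // CLUSTER_SIZE) if c not in used]


def find_residue(image: bytes, allocation: dict, needle: bytes) -> dict:
    """Report which files' slack and which unallocated clusters hold the fragment."""
    hits = {"slack": [], "unallocated": []}
    for name, rec in allocation.items():
        if needle in file_slack(image, rec["start_cluster"], rec["size"]):
            hits["slack"].append(name)
    for c in unallocated_clusters(image, allocation):
        if needle in image[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE]:
            hits["unallocated"].append(c)
    return hits


if __name__ == "__main__":
    image, allocation = build_image()
    print("slack of notes.txt:", file_slack(image, 2, 21)[:60])
    print(find_residue(image, allocation, b"merger price"))
```

Real file systems add layers this toy omits (directory entries, allocation bitmaps, RAM slack within the last sector), but the relationship is the same: a live file's size is what the directory claims, and everything from that byte to the cluster boundary, plus every cluster nothing claims, is evidence the normal file listing never shows.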

Approach the Crime Scene
Because the majority of documents are now electronic, because of the skills necessary to search for and identify data in a computer, and because digital evidence is delicate in nature when recovering deleted, encrypted, or corrupted files from a system, there is a growing need for forensic investigators to approach crime scenes.
An investigator, if trained properly, will ensure that:

- No possible evidence is damaged, destroyed, or compromised by the forensic procedures used to investigate the computer (preservation of evidence).
- No computer malware, or harmful software, is introduced to the computer being investigated (non-contamination of evidence).
- Any extracted or relevant evidence is properly handled and protected from later mechanical or electromagnetic damage (extraction and preservation of evidence).
- A continuing chain of custody is established and maintained (accountability of evidence).
- Normal operations are affected for only a limited amount of time (limited interference of the crime scene on normal life).

Where and When Do You Use
Computer Forensics?
Computer forensics is used when there is a need to provide real evidence, such as reading bar codes or magnetic tapes, to identify the occurrence of electronic transactions, and to reconstruct an incident with a sequence of events. You use computer forensics when a breach of contract occurs, when copyright and intellectual property theft/misuse happens, or during employee disputes where there is damage to resources.


Legal Issues
It is not always possible for a computer forensics expert to separate the legal issues surrounding the evidence from the practical aspects of computer forensics, for example the issues of authenticity, reliability, completeness, and convincingness. The approach to investigation diverges as technology changes. Evidence shown must be untampered with and fully accounted for, from the time of collection to the time of presentation to the court. Hence, it must meet the relevant evidence laws.

Damage & Defense…
Permission
When my company was broken into, I provided verbal permission to law enforcement to search my facility and locate the missing computers. I also gave permission to turn on one of the computers, where we confirmed the ex-employee had broken into the building, stolen the computers, accessed the computers, erased intellectual property, and left the building hiding the computers.


There are legal concerns, not just technical concerns. For example, for some forensic monitoring activity a certain level of security may be legally required, or your ability to monitor certain kinds of activities may be restricted. Also, should you ever need to prosecute, your logs may not be admissible in court. Local and federal laws must be considered when devising a security policy.
The computer revolution has given way to white-collar crimes committed on the Internet. Remote targets are compromised by malicious users daily. While investigating these crimes, international issues can be raised when the electronic evidence necessary to prevent, investigate, or prosecute a crime is located outside the borders of the country, and law enforcement must seek assistance from law enforcement authorities in the other country. Preservation of evidence or a request for evidence can be made under mutual legal assistance agreements or, if no assistance is forthcoming, through the Letters Rogatory process.
Consistency with all legal systems, the ability to instill confidence in the integrity of evidence, allowances for the use of common language, and applicability at every level are the challenges confronted by investigators.
Computer law is a large field. Areas of concern to security administrators are: what constitutes illegal use of a computer, what you can and can’t do to detect or monitor it, the status of any evidence you may collect, and your exposure to civil liability suits in the event of a security problem. Computer crime law is a new field. The statutes are quite recent, less than 10 years old, with little case law for guidance. Interpretations may change, and the laws themselves may change, as legislators react to newer threats.

The Computer Forensics Lab
The process of implementing and operating a computer forensics laboratory could be the
subject of an entire series of books. This chapter, however, will attempt to share a few ideas
regarding core concepts to be considered during the planning, construction and operation of
a data forensics facility. The chapter’s bias will be toward mid-level size operations (corporate
installations and stand-alone facilities) in order to demonstrate a diversity of concepts relating
to facilities planning, business operations and service offerings.
Recent changes to the Federal Rules of Civil Procedure (FRCP) in December 2006 have impacted the manner in which digital information is managed in civil litigation. The FRCP formalized the role of digital information in a legal environment. The rules have formally identified the role of Electronically Stored Information (ESI) and how it will be handled and presented in a judicial setting.

The advent of personal computing empowered individuals to create and manage
information on a massive scale; the vast majority of information created now exists in digital
form on some type of computing system. An entire field of data analysis and digital investigation has evolved in response to the threat of wrongdoing in this digital realm. The technology (laptops, desktops, cell phones, the Internet) empowering individual productivity and
creativity is the same technology used to conduct activity against company policy or in
violation of the law. Corporate investigators and law enforcement officers need to have the
capability to investigate these types of digital transactions by identifying, recovering, analyzing and reporting on the digital facts. The role of data forensics analysis will be of increasing
importance to the legal system as information continues to evolve into the purely digital and
the systems upon which that information is stored become more technologically advanced.
The need and demand for expert forensics examiners and forensic data investigation facilities
will likewise be on the rise.

Laboratory Strategic Planning for Business
The topic of strategic planning for business development is a series of books unto itself.
A few points of interest will be touched upon as of special interest in developing a
forensics practice: philosophy of operation, core mission and services, revenue definition, and
SOP definition.

Philosophy of Operation
Every data forensics implementation will reflect four core modes of operation. From solo-practitioner operations to government investigative arms, forensics implementations will function according to a similar set of operating philosophies. The core four aspects of operation are the business operations aspect, the technology venue aspect, the scientific practice aspect, and the artistic expression aspect. Regardless of scope, a computer forensics initiative must pursue sound business practices, must function in the realm of high technology with high-technology talent as an ongoing status quo, and must foster excellence of method and diverse, creative vision in solving technology investigation problems.

A Forensics Laboratory Is a Business Venue
Every computer forensics laboratory is a business venture. A 1099 contract solo investigator, a
commercial forensics department in the civilian litigation support space, a city/state police
crime lab, a law firm’s internal digital investigations group and a federal network of investigative facilities are all business venues that must behave according to the principles of sound
business management, financial profitability, core service provision, etc. A police crime lab
may not be pursuing profit per se, but that lab has to demonstrate value of service and ROI
(return on investment) in order to remain funded or acquire annual budget allocations and
new technologies to continue fighting crime. A solo practitioner must remain competitive in
the marketplace he/she serves with regard to cost, service provision, and continuing education. A corporate commercial forensics venture must demonstrate profitability and maintain
high standards for customer service and product quality in order to remain competitive in
the marketplace. A massive entity such as the United States government’s network of
nationally distributed forensics facilities and allied investigative entities must still obey the principles of good business management, seek operational excellence, and demonstrate value for service and ROI to the United States Congress and Senate in order to remain funded. Running a data forensics laboratory means running a good business at all levels of scope.

A Forensics Laboratory Is a Technology Venue
A data forensics facility of any size is the embodiment of front-of-the-wave mastery of data and data storage technologies in all their various guises. Criminals can often afford the newest toys and desire the most complex technologies to hide their crimes from prying eyes, so the data forensics community must always strive to master technology as fast as technology evolves. The commercial consumer marketplace is always rolling out a new wave of the newest, shiniest technologies available in order to keep up with consumer demand for progress; again, the forensics community is at the front of the line, dismantling and investigating every new gadget that hits the shelves in order to reveal its secrets.

A Forensics Laboratory Is a Scientific Venue
Understanding and implementing technology isn’t sufficient, however. The practice of any
branch of Forensics is a practice of Science. Examiners strive to perform their duties according to reliable, repeatable, valid, objective, consistent and accurate methodologies in order to
reveal facts objectively via empirical observation, deductive reasoning and conversion of
hypothesis to demonstrable proof of fact, thereby empowering the presentation of findings of
value to be put forth as facts of merit in the court of law.

A Forensics Laboratory Is an Artistic Venue
The investigative process is more than a rigid set of procedures. Intuition and creativity play
as great a role for the Forensic examiner as do sound methodologies. Fact finding in a wildly
diverse technological realm requires a great degree of technical prowess as well as a flexible
mind; forensic examiners often must be artisans of technology creation and deconstruction.
Raw technology skill does not empower an investigator to understand the interaction of man and machine: intuitive awareness of how the tools of technology and human nature, human thought processes, and human frailties interact allows much of the artistry and creativity of forensic investigation to be revealed.


Core Mission and Services
Foremost in the consideration of a forensics facility design plan, decide what services the
facility is to provide and the scope at which it is to provide those services. A firm grasp of
the prospective laboratory’s core mission and scope of service will provide guidance on every
aspect of building and operating that forensic facility, touching on everything from annual
budget to furniture ergonomics. Based upon scope of service, a good forensics laboratory can